Disable access to the administrator plugin when plugin is disabled in config.

Stable team/Jon: can I commit this into stable aswell?

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@9603 7612ce4b-ef26-0410-bec9-ea0150e637f0

diff --git a/ChangeLog b/ChangeLog
index aa749be2bf39bdb4f8023dfd5798b23b0749fea2..7aa047592bc3244196bdd37fbc1abea360742ea6 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -364,6 +364,8 @@ Version 1.5.1 -- CVS
     Thanks to Roalt Zijlstra.
   - Identity code was not checking for domain part in username before setting
     email address (Bug #1219184).
     Thanks to Roalt Zijlstra.
   - Identity code was not checking for domain part in username before setting
     email address (Bug #1219184).

+  - Disallow access to the administrator plugin screens when the plugin is
+    not enabled in the config.

 
 
 Version 1.5.0 - 2 February 2004
 
 
 Version 1.5.0 - 2 February 2004

diff --git a/plugins/administrator/auth.php b/plugins/administrator/auth.php
index 472beaf8a00a868f6558c79494e1d9efb45d7797..0ba719479d51764b6c9b3a40f45142fbb7229656 100644 (file)
--- a/plugins/administrator/auth.php
+++ b/plugins/administrator/auth.php
@@ -19,9 +19,14 @@
  * @return boolean
  */
 function adm_check_user() {
  * @return boolean
  */
 function adm_check_user() {

-    global $PHP_SELF;
+    global $PHP_SELF, $plugins;

     require_once(SM_PATH . 'functions/global.php');
 
     require_once(SM_PATH . 'functions/global.php');
 

+    /* fail if the plugin is not enabled */
+    if ( !in_array('administrator', $plugins) ) {
+        return FALSE;
+    }
+

     if ( !sqgetGlobalVar('username',$username,SQ_SESSION) ) {
         $username = '';
     }
     if ( !sqgetGlobalVar('username',$username,SQ_SESSION) ) {
         $username = '';
     }


@@ -58,4 +63,4 @@ function adm_check_user() {
 function adm_array_trim(&$value,$key) {
     $value=trim($value);
 }
 function adm_array_trim(&$value,$key) {
     $value=trim($value);
 }

-?>
\ No newline at end of file
+?>